Both end users and IT professionals can benefit from knowing more about combating the threats they face, but there are other people who have something to learn: the marketers whose attempts at putting across their messages stray over the line into spamming, and the communications people whose irresponsible use of email risks undoing the good work of educators in training us to spot scams and cons.

Social engineering, phishing and spamming

Phishing and social engineering are at the heart of a lot of cybercrime. We regularly hear of smart new phishing campaigns, like the recent fake Microsoft update phish, or of an institution that’s had data leaked thanks to its staff falling for phishing emails – one of the latest being Saint Louis University (why is it always universities?), where a phished account gave someone access to health data on 3,000 individuals.

These are criminal activities of course, and occasionally lead to prosecution and imprisonment for those behind the campaigns, as in the recent case of a UK resident locked up for five years for his part in a bank phishing campaign which netted £750,000.

We have spam and web filters to help protect people from these attacks, and there are email authentication standards (SPF, DKIM and DMARC) designed to help filters recognise when an email really comes from the domain it claims to.

For the most part we rely on teaching people how not to fall for the scams. We pick out common tell-tale signs, such as spoofed email details or disguised links, and show people how to spot them. We urge them to act with caution and try to avoid being rushed into poor decisions.
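The two tell-tale signs named above, a spoofed sender and a disguised link, are mechanical enough that a filter can look for them. The script below is an added example, not code from the article or from Virus Bulletin: it parses a constructed sample message (the addresses and domains in it are invented for illustration) and flags a display name that borrows a trusted brand while the address sits on another domain, anchor text that looks like a URL on one domain while the href goes to a different one, and the "act now" pressure phrases that scams use to rush people. The `registered_domain` helper is a deliberately crude stand-in for a public-suffix-list lookup.

```python
"""Flag classic phishing tell-tales in a raw email: spoofed sender,
disguised links and urgency pressure. Added example with constructed data."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: every domain here is invented for the demo.
SAMPLE = """From: "Example Bank Security" <alerts@examp1e-bank-support.com>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Please visit <a href="http://login.examp1e-bank-support.com/x">https://www.example-bank.com/login</a>
within 24 hours or your account will be suspended.</p>
<p>Read our <a href="https://www.example-bank.com/privacy">privacy policy</a>.</p>
</body></html>
"""

URGENCY = ("within 24 hours", "account will be suspended", "immediately", "act now")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'example.com' from 'login.example.com'. A real tool would use
    the public suffix list; the last two labels are enough for this demo."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def disguised_links(html):
    """Links whose visible text reads as a URL on one registered domain
    while the href actually points at a different registered domain."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue  # plain words like "privacy policy" are not disguised
        shown = text if "://" in text else "http://" + text
        shown_dom = registered_domain(urlparse(shown).hostname or "")
        real_dom = registered_domain(urlparse(href).hostname or "")
        if shown_dom != real_dom:
            flagged.append((text, href))
    return flagged


def spoofed_sender(from_header, trusted_domain):
    """True when the display name carries the trusted brand name but the
    actual address is not on the trusted domain."""
    name, addr = parseaddr(from_header)
    addr_dom = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    brand = re.sub(r"[^a-z0-9]", "", trusted_domain.split(".")[0].lower())
    shown = re.sub(r"[^a-z0-9]", "", name.lower())
    return bool(brand) and brand in shown and addr_dom != trusted_domain


def urgency_phrases(text):
    """Pressure phrases present in the message, lower-cased for matching."""
    lowered = text.lower()
    return [p for p in URGENCY if p in lowered]


def analyse(raw_message, trusted_domain):
    """Run all three checks over a raw RFC 822 message string."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # single-part text/html in the sample
    return {
        "spoofed_sender": spoofed_sender(msg["From"], trusted_domain),
        "disguised_links": disguised_links(body),
        "urgency": urgency_phrases(msg["Subject"] + " " + body),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE, "example-bank.com").items():
        print(f"{key}: {value}")
```

Note that the checks are heuristics: a legitimate bank that sends a "click here to log in" link with a tracking redirect on a third-party domain trips the same disguised-link test as a phish, which is precisely why the article asks legitimate senders to stop doing that.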

But after years of hammering these points home, scientific studies keep showing that we’re still not good at spotting scams. The phishing methods still work, and as new technologies appear, so do different avenues of attack.

Recent stats from the Australian Communications and Media Authority (ACMA) show another rise in SMS spam, and they’ve had to fine a nightclub for texting 50,000 people without proper opt-out info.

The ACMA also imposed a record fine on an online retailer for spamming its customer lists. That’s a fair bit of activity for just one country, in just the past week or so.

Legitimate spamming?

You may notice something different about these last two cases though: these are legitimate businesses trying to market their products.

But they’ve gone about it in a way which contravenes spam laws, which in itself implies they’ve gone well beyond what most people would consider intrusive – spam laws tend to be designed not to get in the way of marketing activity too much.

If we are constantly bombarded with mass mails from everyone we’ve ever dealt with, and from anyone they feel like sharing their address lists with, we come to normalise all this spam. This makes it harder for us, with our limited attention spans and rushed-off-our-feet modern lifestyles, to remain alert to cleverly crafted tricks and scams.

Banks and other institutions handling our sensitive data also fail to heed good advice, and send out mails warning us of problems with our accounts while providing helpful links to take us to the login page.

We’re trying to teach people to be wary of such emails and always use a known-good bookmark or type in an address manually rather than following a link, so when examples of exactly what we warn against turn out to be legitimate and genuine, it only dims the value of the educational effort.

Another group with similar problems are application developers whose apps demand more rights than strictly necessary. We’re trying to teach people not to blindly approve requests for access to their network connection, their contact lists, or their location. When apps are always asking for access to these things, how are users supposed to tell the legit ones from the scams and cons?

Finally, of course, there are social network providers who rely on hoovering up as much personal information as they can to sell on to advertisers. While these may be something of a lost cause, perhaps one day they’ll learn that overly-complex privacy settings and aggressively harvesting people’s information isn’t going to win them any friends.

Lessons to be learned

So if you’re one of these people, please heed the educational message too.

OK so you’ve got things to sell, you’ve got messages you need to get eyes on, but please think about what you’re doing.

If you’ve got a marketing message you want to show someone, make it clear that’s what you’re doing. Make sure you only mail people who’re OK with that, and make sure you provide means for them to tell you if they change their mind.

Don’t try and lure people to your website with promises of wonders and delights, then try and scrape as much personal information out of them as you can.

If you’re a bank and need to get an urgent message to your customers, maybe email is a good technique, but make sure your customers have agreed to be emailed ahead of time. And try not to make your emails look like every phishing scam in the book.

Make it clear that people should always be wary and distrustful of emails. Make them type in an address or use a bookmark. Don’t give them a link however much easier you think you’re making things for them.

If you’re building an app and need to have it supported by ads, that’s fine, just make sure they’re not intrusive, or demand device or data access that you don’t really need. If you need access to features or information, make that clear at every opportunity, and explain why.

If people with legitimate messages stick to legitimate techniques, don’t try to trick or scam people and never ask for more than they really need, then it’s going to be easy to spot when someone is asking for something we shouldn’t give them.

About the author

John Hawes is Chief of Operations at <a href="http://www.virusbtn.com">Virus Bulletin</a>, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (<a href="http://www.amtso.org">AMTSO</a>) in 2011.

A classic example is the email sent out recently by Adobe to everyone whose password may have been compromised. It had a link labeled "click here to reset your password", and when I, as a savvy IT professional, tried to go to the Adobe site and change my password the normal way, I was rejected and informed that it was required that I use the email link.

It's not just in cyberspace that this is a problem. I recently had a phone call from an off-shore person saying that he was from my bank and wanted some details to verify my account. I told him in no uncertain terms where to go. Except, of course, it turned out to be genuine (I phoned up the bank's help line). I suggested later (when I went into my branch) that I need to verify the bank as much as they need to check me (like I ask them for a pass phrase that I know is genuine).

My experience was with HP. Upon contacting customer support, regarding recovery disks for an old laptop, I was asked for my email address. Foolishly I gave it out. Less than a week later HP emailed me with some product solicitation. Granted they also included an opt-out provision but it did irk me that they used customer support as a way to "grow" their mailing list.